Malware alert: Dump on WikiLeaks contained over 3,000 malicious files

Malware expert Vesselin Bontchev discovered 323 malware instances in his first scan of WikiLeaks' email dump from Turkey’s ruling political party; he listed 3,277 in his second report. WikiLeaks quietly 'neutered' some of the malware.

Dr. Vesselin Bontchev, an assistant professor at the National Laboratory of Computer Virology, which is part of the Bulgarian Academy of Sciences, found 3,277 malicious files on WikiLeaks after he scanned the email dump from Turkey’s ruling political party (AKP).

On GitHub, the malware pro said the list of malware hosted by WikiLeaks is “by no means exhaustive.” But if he listed it, then it is definitely malware indexed by VirusTotal. Incidentally, he is still not done scanning.

When attempting to verify the 300+ malware instances reported by The Register, it was a shocker to count thousands of links to malware – more than 3,000 – in Bontchev’s report. So I asked him if he was done scanning and to confirm the total.

Bontchev explained to me that when he first discovered the malware in the AKP dump posted on WikiLeaks, he did not check for malicious attachments in duplicate or spam emails. Additionally, if the same malicious file was attached to multiple emails, he only counted it once for his first report. What he found was 323 malicious files.

He previously told WikiLeaks to “run a virus scanner on those leaked emails! Distributing malware is not ‘journalism’ by any definition of the term!”

Indeed, WikiLeaks quietly “neutered” the malware which was listed in Bontchev’s first report. He calls it “neutered” instead of “deleted” because the malware is still there; it’s just more difficult to download and get infected by mistake.

After again searching the AKP dump, including spam and duplicates, Bontchev’s second report has 3,277 entries. So it those plus the 323 malware instances which he listed in his first report.

In his report, he used three columns for each piece of malware he found; the first links to the email on WikiLeaks which contains malware. “The e-mail itself is safe to view (although the text is usually spam/scam/phish/whatever),” he wrote.

The second column has the link to the actual malicious email attachment; since it is a direct link and clicking on it would download the malware, Bontchev replaced “https” with “hxxxx” and added brackets as well to the URL.

It’s unknown why WikiLeaks didn’t give him at least a hat tip of recognition, nevertheless a thank you, before neutering those links to malicious attachments. The malware is still there, but now it is base64-encoded. It would require decoding it manually before the malware could be executed, he explained.

The third column links to VirusTotal where the malware has been given various names by different antivirus vendors. That page also lists how many antivirus solutions can detect the malware. Bontchev has been a malware researcher for 28 years, so he said he didn’t need VirusTotal to tell him if something was malware. In fact, some of the files weren’t known to VirusTotal until he uploaded them; at that point, various scanners would detect the malware inside.

This is not the first time that WikiLeaks has been accused of hosting malware or endangering individuals by not redacting sensitive personal information included in the leaks. Even Edward Snowden called WikiLeaks’ reluctance to even a modest curation to be a “mistake.”

Fox News previously reported that Google had been warning users about dangerous downloads from WikiLeaks right after WikiLeaks posted the Democratic National Committee email leak. For a time, Facebook had even blocked WikiLeaks. However, Bontchev said he did not find any malware in the DNC dump.

In March 2015, security researcher Josh Wieder warned that the “Global Intelligence Files” published by WikiLeaks were “loaded with malicious software.” Wieder warned there could also be malware included in other leaks. He told Hacked that WikiLeaks could be used as a “deliberate distribution mechanism.” He suggested, “Someone who wants to identify not just members of WikiLeaks, but their readers, this would absolutely be the way to do it.”

That brings us to another possibility. What if some of the emails were just part of a long-range plan and advanced persistent threat (APT)? It wouldn’t be unheard of for a zero-day exploit to be aimed at an especially juicy target, meaning not all browsers or antivirus solutions will block all threats. They can’t block it if the vulnerability is not yet publicly known.

Bontchev told Computerworld:

We kinda got lucky this time. But the next time a government targeting journalists might “leak” some interesting-looking documents that are booby-trapped to install spyware or RATs (remote administration tools) on the computers of the journalists who download and open them. That's why journalists must be always very suspicious of such sources and open the documents only in “safe” environments (e.g., a Chromebook not connected to the Internet, which is wiped clean after the text of the documents has been inspected).

You might want to keep that one in mind and use caution when browsing dumps on WikiLeaks, which for example, said it already has the archive of NSA-linked cyber weapons that are being auctioned by Shadow Brokers; WikiLeaks intends to release a “pristine copy in due course.”

Although Bontchev doesn’t have anything against WikiLeaks, he said:

It seems that Wikileaks' concept of “journalism” is finding an interesting-looking document in a garbage container and dumping the contents of the entire container at your front door.

Please understand me correctly – I have great respect for the idea WikiLeaks is based on. The world needs an independent journalist organization that reveals the shady dealings of governments and corporations. However, dumping everything without any kind of curation is simply irresponsible! There is no reason to distribute malware or personal information. A responsible investigative journalist researches the subject, verifies the claims made by his sources, synthesizes the information and presents it to the reader. A responsible journalist doesn't dump raw garbage on their readers. I understand that WikiLeaks has very limited resources – but at the very least they could run a virus scanner on those e-mails!

WikiLeaks, come on, please run a virus scan before releasing a dump. I personally don’t want infected and I don’t know anyone who does. That also doesn’t imply we won’t read and possibly report on the leaks. As Bontchev said of running a scan before dumping the dirt, “At least this will filter out the run-of-the-mill known malware. It's simply something they owe to their readers.”